Wandera’s security research team has recently encountered two malicious mobile applications masquerading as legitimate apps and threatening the security of a few of our customers’ mobile fleets.

Our investigation was triggered when mobile applications labeled “iTunes U” and “WebMD” were flagged by Wandera’s sophisticated intelligence engine MI:RIAM, as generating malicious network traffic. At first glance, these of course sound like reputable apps that the average company’s IT department wouldn’t flag as risky.
Upon further analysis at both the data and device level, it was discovered that these mobile applications weren’t “iTunes U” or “WebMD” at all. They were entirely different applications that were intentionally attempting to appear innocent. They were connecting to suspicious IP addresses and making end-user devices susceptible to malware.
The implications of these rogue app installations could have been disastrous for our customers had they not been recognized and halted by Wandera.

The “iTunes U” Fake Out

The first instance occurred at a North American company when MI:RIAM detected a risky app download by an end-user. The app that appeared to have been installed was called “iTunes U”. For the average IT department, the buck would stop there and the device would likely be ignored. Wandera’s threat detection team, however, knew better. MI:RIAM recognized that this app was not “iTunes U”. It was, in fact, an app called “Podcruncher”, a player and manager for podcasts.
Podcruncher was masking itself behind a user agent and trying to present itself as the “iTunes U” app in order to hide from security scanners. Wandera could immediately tell that this was the case due to the suspect web traffic coming from the device. This application has routinely communicated with suspicious IP addresses that have been known to previously host malware.
By installing this app on his device, the end-user was exposing the company to a huge risk. At any time, the app could have infected the device with malware, allowing hackers to easily access private company files, passwords, bank account numbers and any other information stored on the device. Wandera was able to take immediate action and stop the application in its tracks before it resulted in any leaked information.

The “WebMD” Jailbreak

A similar situation occurred when MI:RIAM flagged an app presenting itself as “WebMD” as malicious. Again, this was an application that seemed relatively harmless by name, however, at the data level, it was engaging in suspicious network traffic. In late February Wandera observed the “WebMD” app accessing a site that is designed to jailbreak the device using some rather sneaky real-time exploits. This gave us reason to believe the user had semi-jailbroken his device.
The app the end-user had installed to jailbreak his phone was called “semi jailbreak”. This app identified itself as the “WebMD” app in a clear attempt to hide from detection tools. It installed a risky profile on the device allowing the end-user to access third party app stores. These app stores are often entry points for dangerous or poorly built apps and other threats. Many of these mobile applications have also been found to host malware.
Obviously, by semi-jailbreaking her device, the user was exposing both herself and the company to an unwanted security risk. Thankfully, Wandera was able to detect the threatening behavior of the application and block it at the web level while working with the customer to prevent the vulnerability from becoming a reality.

Protecting your business from malicious mobile applications

Evidently, detecting threats to your mobile fleet is not as easy as monitoring installed app labels and generating a predetermined list of sites to block. Both of the above threats seemed quite innocent at surface level and would not have been detected had it not been for the granular insights Wandera provided and the machine intelligence of MI:RIAM.
A real-time multi-level threat detection product is required to detect abnormal app behaviour at both the data and device levels. Additionally, a content filtering solution is recommended to proactively block these types of threats before they impact the device. Wandera is able to detect rogue app web traffic requests from the device instantaneously and block them at the proxy level. This way, the threat never reaches the device.
Partnering with an EMM solution allows for security solutions like Wandera to gain a deeper view of all assets and applications on the user device. As an added benefit, Wandera can specifically instruct the EMM to remove an app, or quarantine a device altogether, if and when threats occur.
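The two cases above share one detection pattern: an app claims a reputable identity in its User-Agent while the device's EMM inventory shows no such app installed, and its traffic goes to destinations associated with malware or jailbreak kits. The following is an added illustration of that data-plus-device correlation, not Wandera's or MI:RIAM's code; the proxy log lines, bundle identifiers, and deny-listed hosts are all constructed placeholders.

```python
import re

# Constructed proxy log lines (not from the original post):
# <device id> "<User-Agent as sent by the app>" <destination host>
PROXY_LOGS = """\
dev-001 "iTunes U/3.4 CFNetwork/808 Darwin/16.0" itunes.apple.com
dev-001 "iTunes U/3.4 CFNetwork/808 Darwin/16.0" cdn.bad-host.example
dev-002 "WebMD/7.1 CFNetwork/808 Darwin/16.0" www.webmd.com
dev-002 "WebMD/7.1 CFNetwork/808 Darwin/16.0" semi-jailbreak.example
dev-003 "WebMD/7.1 CFNetwork/808 Darwin/16.0" www.webmd.com
"""

# Per-device installed apps as the EMM would report them (hypothetical bundle IDs).
EMM_INVENTORY = {
    "dev-001": {"example.podcruncher"},
    "dev-002": {"example.semijailbreak"},
    "dev-003": {"example.webmd"},
}

# Which bundle is legitimately allowed to send a given User-Agent product token
# (hypothetical mapping; a real deployment would derive it from app metadata).
UA_TO_BUNDLE = {"iTunes U": "example.itunesu", "WebMD": "example.webmd"}

# Placeholder deny list of destinations previously seen hosting malware / jailbreak pages.
KNOWN_BAD_HOSTS = {"cdn.bad-host.example", "semi-jailbreak.example"}

LINE_RE = re.compile(r'^(\S+)\s+"([^"]+)"\s+(\S+)$')

def claimed_app(user_agent):
    # The product token is everything before the first "/" in the User-Agent.
    return user_agent.split("/", 1)[0].strip()

def detect(log_text, inventory, ua_to_bundle, bad_hosts):
    """Return (device, finding, claimed app, host) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        device, ua, host = m.groups()
        app = claimed_app(ua)
        bundle = ua_to_bundle.get(app)
        # Data level vs device level: UA claims an app the EMM says is not installed.
        if bundle and bundle not in inventory.get(device, set()):
            findings.append((device, "ua_spoof", app, host))
        # Data level: destination is on the deny list regardless of claimed identity.
        if host in bad_hosts:
            findings.append((device, "bad_destination", app, host))
    return findings

if __name__ == "__main__":
    for f in detect(PROXY_LOGS, EMM_INVENTORY, UA_TO_BUNDLE, KNOWN_BAD_HOSTS):
        print(f)
```

Only dev-003, whose inventory actually contains the app its User-Agent claims, produces no findings; the other two devices are flagged on both the identity mismatch and the destination.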